Site-to-Site and Remote VPN

I am preparing to configure a couple of PIX 515E firewalls to establish a LAN-to-LAN (site-to-site) VPN. Each of these firewalls must also support remote Cisco 3.x VPN client connectivity. Among my questions is: will the "isakmp identity key" command work for both remote (dynamic address) users as well as the site-to-site (static address) connections? And with the vpngroup configuration commands, do I still require "isakmp client configuration address-pool local..."? I have included the FW configs below for any additional comments or suggestions:

! PA VPN Configuration
!
isakmp enable outside
sysopt connection permit-ipsec
!
crypto ipsec transform-set btrans esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set btrans
crypto dynamic-map dynmap 10 match address b2remote
!
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
!
access-list b2v permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list b2v permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
!
access-list b2remote permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list b2remote permit ip 192.168.210.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Use crypto-map sequence 10 for PIX to PIX
!
crypto map bc 10 ipsec-isakmp
crypto map bc 10 match address b2v
crypto map bc 10 set peer xx.xx.24.161
crypto map bc 10 set transform-set btrans
!
! Use crypto-map sequence 50 for PIX to VPN Client
!
crypto map bc 50 ipsec-isakmp dynamic dynmap
!
crypto map bc interface outside
!
nat (inside) 0 access-list nonat
!
isakmp key ************ address xx.xx.24.161 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
!
isakmp identity address
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
!
!--- IPSec group configuration for VPN Client
!
vpngroup remote address-pool ippool
vpngroup remote dns-server 192.168.1.x
vpngroup remote wins-server 192.168.1.x
vpngroup remote default-domain **.com
vpngroup remote idle-time 1800
vpngroup remote password **********
!
ip local pool ippool 192.168.210.0 - 192.168.210.254

**********************************************************************************

! NJ VPN Configuration
!
isakmp enable outside
sysopt connection permit-ipsec
!
crypto ipsec transform-set vtrans esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vtrans
crypto dynamic-map dynmap 30 match address v2remote
!
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.211.0 255.255.255.0
!
access-list v2b permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list v2b permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list v2b permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list v2b permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
!
access-list v2remote permit ip 192.168.100.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list v2remote permit ip 192.168.211.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! Use crypto-map sequence 10 for PIX to PIX
!
crypto map vnj 10 ipsec-isakmp
crypto map vnj 10 match address v2b
crypto map vnj 10 set peer xx.xx.36.118
crypto map vnj 10 set transform-set vtrans
!
! Use crypto-map sequence 50 for PIX to VPN Client
!
crypto map vnj 50 ipsec-isakmp dynamic dynmap
!
crypto map vnj interface outside
!
nat (inside) 0 access-list nonat
!
isakmp key ************ address xx.xx.36.118 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
!
isakmp identity address
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
!
!--- IPSec group configuration for VPN Client
!
vpngroup remote address-pool ippool
vpngroup remote dns-server 192.168.1.x
vpngroup remote wins-server 192.168.1.x
vpngroup remote default-domain **.com
vpngroup remote idle-time 1800
vpngroup remote password **********
!
ip local pool ippool 192.168.211.0 - 192.168.211.254
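The checks a reviewer would run over configs like the two above, as an added example that is not part of the original post and not Cisco code: it parses the "PA" configuration (a constructed, trimmed copy in which the masked peer address is replaced by the placeholder 203.0.113.161 and the masked pre-shared keys by placeholder strings) and verifies that every transform set and access list a map entry references is defined, that the crypto map is bound to an interface, that the dynamic entry carries the highest sequence number so static peers are matched first, that a wildcard `isakmp key ... address 0.0.0.0` entry exists for peers whose address is not known in advance, that the client address pool is covered by the `nat 0` access list, and it flags DES and MD5 as weak algorithms.

```python
"""Lint a PIX 6.x IPsec VPN config (added example; not code from the post or from Cisco)."""
import ipaddress
from collections import defaultdict

# Algorithms a current reviewer would flag; DES and MD5 are what the posted config uses.
WEAK = {"des", "esp-des", "md5", "esp-md5-hmac"}

# Constructed sample: the "PA" side of the posted config, trimmed, with the masked
# peer address and pre-shared keys replaced by placeholders so the lines parse.
SAMPLE_CONFIG = """\
crypto ipsec transform-set btrans esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set btrans
crypto dynamic-map dynmap 10 match address b2remote
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list b2v permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list b2remote permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
crypto map bc 10 ipsec-isakmp
crypto map bc 10 match address b2v
crypto map bc 10 set peer 203.0.113.161
crypto map bc 10 set transform-set btrans
crypto map bc 50 ipsec-isakmp dynamic dynmap
crypto map bc interface outside
nat (inside) 0 access-list nonat
isakmp key PLACEHOLDER-L2L-KEY address 203.0.113.161 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key PLACEHOLDER-CLIENT-KEY address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
isakmp policy 10 hash md5
vpngroup remote address-pool ippool
ip local pool ippool 192.168.210.0 - 192.168.210.254
"""


def parse(config):
    """Collect the objects the VPN config defines and references."""
    d = {"tsets": {}, "acls": defaultdict(list), "maps": defaultdict(dict), "iface": {},
         "keys": [], "policies": defaultdict(dict), "pools": {}, "nat0": None}
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = t[4:]
        elif t[0] == "access-list" and t[2] == "permit" and len(t) == 8:
            d["acls"][t[1]].append(tuple(t[4:8]))          # (src, smask, dst, dmask)
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            d["iface"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry, rest = d["maps"][t[2]].setdefault(int(t[3]), {}), t[4:]
            if rest[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = rest[2]
            elif rest[:1] in (["set"], ["match"]):     # set peer / set transform-set / match address
                entry[rest[1]] = rest[2]
        elif t[:2] == ["isakmp", "key"]:
            d["keys"].append(t[4])                          # peer address the key is bound to
        elif t[:2] == ["isakmp", "policy"]:
            d["policies"][int(t[2])][t[3]] = t[4]
        elif t[:3] == ["ip", "local", "pool"]:
            d["pools"][t[3]] = (t[4], t[6])                 # (first, last) address
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            d["nat0"] = t[4]
    return d


def lint(config):
    """Return findings as strings; an empty list means every check passed."""
    d, out = parse(config), []
    for name, entries in d["maps"].items():
        if name not in d["iface"]:
            out.append(f"crypto map {name} is not applied to any interface")
        dyn = [s for s, e in entries.items() if "dynamic" in e]
        static = [s for s, e in entries.items() if "dynamic" not in e]
        # Dynamic entries belong at the highest sequence numbers; otherwise the
        # wildcard entry is evaluated before the static peers.
        if dyn and static and min(dyn) < max(static):
            out.append(f"crypto map {name}: dynamic entry {min(dyn)} precedes static entry {max(static)}")
        # A peer whose address changes can only match a wildcard pre-shared key.
        if dyn and "0.0.0.0" not in d["keys"]:
            out.append(f"crypto map {name}: dynamic map but no 'isakmp key ... address 0.0.0.0'")
        for s, e in entries.items():
            for key, table in (("transform-set", d["tsets"]), ("address", d["acls"])):
                if key in e and e[key] not in table:
                    out.append(f"crypto map {name} {s}: undefined {key} {e[key]}")
    # Client pool addresses must be exempt from NAT, or replies to clients get translated.
    nat0 = [ipaddress.ip_network(f"{dst}/{mask}", strict=False)
            for _, _, dst, mask in d["acls"].get(d["nat0"], [])]
    for pool, (first, _) in d["pools"].items():
        if not any(ipaddress.ip_address(first) in net for net in nat0):
            out.append(f"pool {pool} is not covered by the nat 0 access-list")
    # Flag algorithms that are no longer considered safe.
    for name, algs in d["tsets"].items():
        if WEAK & set(algs):
            out.append(f"transform-set {name} uses weak algorithms: {' '.join(algs)}")
    for seq, p in d["policies"].items():
        if WEAK & set(p.values()):
            out.append(f"isakmp policy {seq} uses weak algorithms: {' '.join(sorted(p.values()))}")
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run as-is it reports only the two weak-algorithm findings for the sample; deleting the wildcard key line or renumbering the dynamic entry below sequence 10 produces the corresponding structural finding, which is the quickest way to see what each check is protecting.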

1 REPLY
Re: Site-to-Site and Remote VPN

Also, do I need to include the following commands . . .

crypto map client configuration address initiate

crypto map client configuration address respond

. . . in order to make this config work?
